FAQ : IDEAL Alerter

Monitor, Alert and React on your Windows Servers and Stations

Search Help  

FAQ: Help

By using this search engine, you can search one or more terms in the complete Pointdev FAQ.

  • In order to look for one or more keywords, type them in the search field using space to separate them.

    ex : remote control

    This search will show you every FAQ containing the word "remote" OR "control".

  • In order to look for a full sentence, use the quotes " " around your keywords
  • ex : "remote control"

    This search will show you every FAQ containing the whole word "remote control".


 Title and Content
 Title only

Examples of alerts

Audit access to files and directories

Alert : How to audit access to files or directories ?

It can be sometimes necessary and judicious to be warned when a user is accessing a shared resource.

This example describes the procedure to use in order to audit on a workstation or on a centralized resource (e.g: a file server), all the access of users (read, copy, selection) to a specific file or directory.

An email which contains the observation and reaction report will then be sent to warn the administrator.

This topic can also be used as a starting point to audit other types of objects (registry key, printer...), for a success, or failure attempts, and this accoring to a group of users, a list of users, or computers. The approach will be then relatively similar.

Requirements before creating the alert with IDEAL Alerter :

  • The file system of the disk hosting the resource must be a NTFS format.
  • Simple file sharing must be disabled: This is in Windows Explorer / Tools / Folder options / View tab: "Use simple file sharing (Recommended)" : please, UNCHECK this feature
  • Enable auditing in the local security policy : Administrative Tools / Local security policy (or secpol.msc command). In the Local policies menu, Audit Policy, select Audit object access. Then choose to audit the succesfull attempts.
  • Set the objects to be audited : To add an audit on the desired file / directory : Right click/ Properties on the file, Security tab then Advanced. In the Auditing tab, select the type of objects (Users, groups, computers ...) then add the objects you want to audit.

Check List folder / read data.

If the audited object is a directory,  it is also possible to apply the observation to sub-objects (files / folders). Then apply the auditing.

With IDEAL Alerter :

  • Create a new alert, named for example "Auditing shared folders access".
  • Add the following event to be monitored :

When a user is accessing a file / directory, the event logs generate excessive entries for the same action. Nevertheless, lit is possible to filter the events from their identifier, to keep only accesses on the audited objects.

Identifier 560 : Objects access (for 2003 Server, XP computers and previous OS).

Identifier 4656 : Objects access (for Vista, 2008 Server, 7 computers).

The description "MySharedFolder;READ_CONTROL" identifies here the name of the monitored directory (MySharedFolder) and the access mask to this folder (READ_CONTROL).

The state after detection "Continue the observation", enables to infinitely pursue the monitoring of security logs

  • Add the following action to be performed :

Fill in the different settings required to send the Email.
If the SMTP server requires an authentication, check "Use authentication", then enter the authentication information.
The communication with the SMTP server can be easily tested by clicking on the "Test" button.

  • Select the target computers on which the alert must be applied :

  • Confirm the alert creation by clicking on the "OK" button.

Last modification: 02/19/2010

Previous
   
Next

Back to the list

 



FAQ : IDEAL Administration | IDEAL Dispatch | IDEAL Remote | IDEAL Migration



IDEAL Alerter 2.0
Back to top